CSC 2045 Week 14 Integral Vulnerabilities PDF

CSC 2045 INTEGRAL VULNERABILITIES OBJECTIVES AGENDA: WEEK 14 Understand the potential 1. Why we use data types in danger of type-casting not only C++ integral but also floating-point 2. Integral ranges data types. 3. Integer overflow and security Identify how numerical data 4. Computer Integers types can be misinterpreted in 5. Two's Compliment code 6. Signed and Unsigned Ints Analyze integer overflow and 7. Arithmetic Overflow underflow problems 8. Type Conversions/Promotion 9. Mitigations against integer error WHY WE USE DATA TYPES IN C++ We need data types to inform the Operating System what is the type of data we are handling. Based on the type of data the OS will allocate memory in bytes in main memory for that type. Variables are the names given to data, which means: what type of data we are storing in the variable what type of operations can we perform Variables are the name given to the memory location where we store the data. The space allocated for any variable in the function's stack frame is done by subtracting from the stack pointer enough bytes to reserve the space required of the data type. INTEGRAL RANGES INTEGER OVERFLOW AND SECURITY Integer overflow causes variables to contain unexpected values, and are not as vulnerable as buffer overflow that overwrite memory but... Integer overflows can be extremely dangerous, because it is impossible to detect them after they have happened. If an integer overflow takes place, the application cannot know that the calculation it has performed is incorrect, and it will continue under the assumption that it is. Even though integer overflow is difficult to exploit since integers are fixed-size they can cause unexpected behavior, which is never a good thing in a secure system. COMPUTER INTEGERS Computer integers are NOT the same set of numbers as math integers. Finite set, NOT infinite. What can happen when integer calculations result in a number outside that set? Set carry or overflow flag in CPU. Throw an exception. Convert integer type to higher precision. Saturation (remain at maximum/minimum value). Wrap from max to min or min to max value. Depends on language and hardware. NUMBERS & COMPUTERS Binary Unsigned Numbers Binary Signed Numbers 1 Byte of memory o 8 bits (base 2) o 255 (base 10) 27 26 25 24 23 22 21 20 128 64 32 16 8 4 2 1 TWO'S COMPLIMENT: 4 BITS (STACKOVERLOW) Positive: Negative: 0 to 23 - 1 -1 to -(23) Zero: 0000 NO compliment One: 0001 Negative One: 1111 A number is Two: 0010 Negative Two: 1110 added to its two’s Three: 0011 Negative Three: 1101 complement, the Four: 0100 Negative Four: 1100 answer is 0. Seven: 0111 Negative Seven: 1001 NO compliment Negative Eight: 1000 -N=~N+1 TWO'S COMPLIMENT (CPLUSPLUS) Consider a short variable (2 bytes of memory) having a value of 250. 00000000 11111010 128+64+32+16+8+2 = 250 According to Two's compliment, -n=~n+1, the compliment is -250 11111111 00000110 -32678+16384+8192+4096+2048+1024+512+256+4+2+1 = -250 Prove 250 + -250 using the calculator linked is 0 215 214 213 212 211 210 29 28 27 26 25 24 23 22 21 20 32768 16384 8192 4096 2048 1024 512 256 128 64 32 16 8 4 2 1 INTEGER OVERFLOW 0 UNSIGNED 3-BIT 7 1 000 111 001 What is the value of result? 111 (a = 7) + 010 (b = 2) 6 110 010 2 ----------------- 1001 (result = 20 = 1) 101 011 This is an example of truncation or 5 100 3 loss of data 4 INTEGER OVERFLOW: 0 SIGNED 3-BIT -1 000 1 111 001 What is the result? 011 (a = 3) -2 110 010 2 + 010 (b = 2) ------------------ 101 011 101 (result = 100 -3 3 -(22) + 20 = -3) -4 This is an example of sign change INTEGER OVERFLOW 16-BIT Hypothesize what you believe the result of Test1 and Test2 are. Using the PythonTutor environment linked, try it out to see if your hypothesis was correct. Test 1: Test 2: short a = 30000; short x = 30000; short b = 30000; short y = 30000; printf(“%d\n”, a+b); short z = x + y; printf(“%d\n”, z); WHEN DOES CASTING OCCUR? The result from the previous slide was due to implicit casting. For binary operators +, -, *, /, %, &, |, ^. if either operand is an unsigned long, both are cast to an unsigned long. in all other cases where both operands are 32-bits or less, the arguments are both upcast to int, and the result is an int. For unary operators ++ and -- does NOT change type. WHEN DOES INTEGER OVERFLOW MATTER Integer overflows cannot be detected after it has happened, so there is no way for an application to tell if a result calculated is correct. Allocating spaces using calculation. Calculating indexes into arrays Checking whether an overflow could occur Direct causes: Truncation; Integer casting TYPE PROMOTION When a calculation involving operands of different sizes is performed, the smaller operand is "promoted" to the size of the larger one. The calculation is then performed with these promoted sizes and, if the result is to be stored in the smaller variable, the result is truncated to the smaller size again SIGNEDNESS CHANGES All integrals are signed by default, Integer overflow can cause a change in signedness which can often have interesting effects on subsequent code Signedness bugs occur when an unsigned variable is interpreted as signed, or when a signed variable is interpreted as unsigned. Always check: signed integers being used in comparisons signed integers being used in arithmetic unsigned integers being compared to signed integers There is no distinction between the way signed and unsigned variables are stored internally in the computer. MITIGATION: SAFEINT SafeInf from Microsoft Use safe integers when integer values can be manipulated by untrusted sources and have access to SafeInf.h from Microsoft. Don’t use safe integers when no overflow is possible as they require more overhead and your program becomes less efficient. tight loop variables are not externally influenced MITIGATION: TESTING If applied correctly, testing can increase confidence that the code is secure, but it isn't guaranteed Integer vulnerability tests should include boundary conditions for all integer variables. If type range checks are inserted in the code, test that they function correctly for upper and lower bounds. If boundary tests have not been included, test for minimum and maximum integer values for the various integer sizes used. Use Allow-Box testing to determine the types of integer variables. Testing is not a guarantee though over integer overflow MITIGATION: SOURCE CODE AUDIT Source Code Audit and Inspected for range errors Integer type ranges are properly checked. Input values are restricted to a valid range based on their intended use. Integers that do NOT require negative values are declared as unsigned and properly range-checked for upper and lower bounds. Operations on integers originating from untrusted sources are performed using a safe integer library.

CSC 2045 Week 14 Integral Vulnerabilities PDF

Document Details

Tags

Related

Summary

Full Transcript